End of the line for Ireland's dotcom star

[Peter Gutmann]

John Young <jya at pipeline.com> writes:

>Who at Baltimore, or was once there, is likely to be able to account for the
>security of the certs for customers who still rely upon them? Not somebody to
>spin a fairy tale, but to truthfully explain what Baltimore has done to avoid
>betraying the trust of its customers, or handing that trust over to others who
>may not have Baltimore's scruples or be bound by its promises.

Is it really that big a deal though?  You're only ever as secure as the *least
secure* of the 100+ CAs automatically trusted by MSIE/CryptoAPI and Mozilla,
and I suspect that a number of those (ones with 512-bit keys or moribund web
sites indicating that the owner has disappeared) are much more of a risk than
the GTE/Baltimore/beTRUSTed/whoever-will-follow-them succession.

The real lesson of this, I think, is the observation that "The company would
have done better to concentrate on making its core PKI technology easier to
deploy", which applies to most other PKI vendors and products as well.
Baltimore had the bizarre business strategy of using revenue from its PKI
products as a means of driving/funding work in its other product branches,
which is a bit like a drowning man going for a boat anchor as his most likely
flotation device.

Peter (curently flooded with Linux VPN mail, please be patient).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com